w00tw00t.at.blackhats.romanian.anti-s

logixmedia Member
edited November 2012 in General

I am seeing a lot of "w00tw00t.at.blackhats.romanian.anti-sec" in my Apache logs (Debian server). It is slowing my server, I guess, as I am not able to pinpoint why the pages sometimes load slowly from this server.

Have googled and referred to some links, but was not really helpful:
http://serverfault.com/questions/125607/dealing-with-http-w00tw00t-attacks
http://ubuntuforums.org/showthread.php?t=1541215

Any help will be appreciated....

Comments

  • Same with me.
    Just block their IP

  • Well, the IPs are changing frequently..............(:

  • Could you try to install csf or another firewall?

  • Can you suggest a good tutorial for configuring CSF?

  • marcm Member
    edited November 2012

    @praveenbhat - Those pesky Romanians are a real problem. I guess that they are some gang of "putzoi"...

  • corpus Member
    edited November 2012

    You can use fail2ban to ban them.
    In /etc/fail2ban/jail.local add

    [apache-w00tw00t]
    enabled  = true
    filter   = apache-w00tw00t
    action   = iptables-allports
    logpath  = /var/log/apache*/*error.log
    maxretry = 1

    and create /etc/fail2ban/filter.d/apache-w00tw00t.conf
    with

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the w00tw00t scan messages in the logfile.
    #          <HOST> is fail2ban's placeholder for the client address and
    #          must appear in the regex, otherwise fail2ban refuses to load
    #          the filter. Apache 2.4 logs the client as "addr:port", hence
    #          the optional port suffix. Matching "w00tw00t.at." covers both
    #          the blackhats.romanian.anti-sec and the ISC.SANS.DFind variant.
    # Values:  TEXT
    failregex = ^.*\[client <HOST>(:[0-9]+)?\].*w00tw00t\.at\..*$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    ignoreregex =

    
  • For iptables only

    # extract each offending address once and turn it into a DROP rule
    grep "w00tw00t" /your/apache/log/file \
      | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
      | sort -u \
      | awk '{print "iptables -I INPUT -s " $1 " -j DROP"}' > ips.ban
    sh ips.ban
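
The fail2ban filter and the iptables one-liner above both hinge on pulling the client address out of Apache's error log. The following script is an added example, not code from either poster: it builds a small constructed error log (Apache 2.2 lines plus one Apache 2.4-style "[client addr:port]" line), checks how many lines the failregex would match with fail2ban's <HOST> tag replaced by an IPv4 pattern, counts probes per address so a threshold can be applied, and prints the iptables rules for review instead of applying them. The file path and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pull the source addresses of
# w00tw00t probes out of an Apache error log, count them, and generate
# iptables DROP rules to review, without applying anything.

# Constructed sample error-log lines in Apache 2.2 format, plus one in the
# Apache 2.4 "[client addr:port]" format, so both layouts are exercised.
SAMPLE_LOG="${TMPDIR:-/tmp}/w00tw00t-sample-error.log"
cat > "$SAMPLE_LOG" <<'EOF'
[Sun Nov 11 03:12:45 2012] [error] [client 203.0.113.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Nov 11 03:12:46 2012] [error] [client 203.0.113.10] File does not exist: /var/www/phpmyadmin
[Sun Nov 11 04:01:02 2012] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Nov 11 04:05:00 2012] [error] [client 192.0.2.55] File does not exist: /var/www/favicon.ico
[Sun Nov 11 05:30:10 2012] [error] [client 203.0.113.10:51234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.blackhats.romanian.anti-sec:)
EOF

# IPv4 address pattern, used throughout.
IP_RE='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# The fail2ban failregex from the thread, with <HOST> replaced by the IPv4
# pattern so it can be checked with grep before deploying it. The optional
# ":port" suffix is what makes it match Apache 2.4 lines as well.
FAILREGEX="^.*\[client ${IP_RE}(:[0-9]+)?\].*w00tw00t\.at\..*$"

# Number of lines in the log that the failregex would match.
failregex_matches() {
    grep -Ec "$FAILREGEX" "$1"
}

# Client address of every matching line, one per line (unsorted).
# Taking the address from the "[client ...]" field avoids picking up any
# other IPv4-looking token that might appear later in the message.
client_ips() {
    grep -E "$FAILREGEX" "$1" \
      | grep -Eo "\[client ${IP_RE}" \
      | grep -Eo "$IP_RE"
}

# Unique offending addresses, sorted.
scan_ips() {
    client_ips "$1" | sort -u
}

# Probe count per address ("addr count"), for applying a threshold
# before deciding to block.
scan_counts() {
    client_ips "$1" | sort | uniq -c | awk '{print $2, $1}'
}

# iptables commands for review; run them as root only after checking
# that none of the addresses is your own or a customer's.
block_rules() {
    scan_ips "$1" | awk '{print "iptables -I INPUT -s " $1 " -j DROP"}'
}

echo "lines matched by failregex: $(failregex_matches "$SAMPLE_LOG")"
echo "probes per address:"
scan_counts "$SAMPLE_LOG"
echo "rules to review:"
block_rules "$SAMPLE_LOG"
```

The one-liner in the post extracts any IPv4 string from a matching line; anchoring on the "[client ...]" field as above is safer on logs where the message body itself can contain an address. Run `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf` to confirm the real filter matches before enabling the jail.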
    
  • logixmedia Member
    edited November 2012

    @marcm what is "putzoi"....lol

    But they scan for a couple of PHP applications, e.g. PHPadmin kind of stuff...

  • @praveenbhat said: @marcm what is "putzoi"....lol

    I think it's some kind of prepubescent boy who hasn't gotten their pubes in yet...

  • corpus Member
    edited November 2012

    Why does my post look like shit?
    I selected it and clicked on "code", right?

  • use html tag

  • Infinity Member, Host Rep

    Lol yeah - it's annoying but easy to solve.

  • I also have those a lot, most of the time combined with PHPmyAdmin searches. I block the entire /16.

  • You could use mod_sec rules to block them also.

  • DennisdeWit Member
    edited November 2013

    Dear users,

    W00Tw00t seems to be a user or so who mostly hacks old ZPanel versions. My home server has been hacked too. That way, he got root access and put up a fake Apple site. Here's some nice information about our lovely user.

    $from_name = 'iTunes'; $from_email = '[email protected]'; $to_email = '[email protected]'; $subject = 'iTunes offer'; $url_redirect = 'https://store.apple.com/fr/';

    And a really nice IP-address:

    41.250.243.198

    It seems the user found my server on LET. So you should be warned.

  • I also had those, about 2 months ago, but I reinstalled my server and the log entries never appeared again until now.

  • Hey, it is a remote scanner, right?? I wonder why it was gone after I reinstalled my server??

  • Yes, it's gone. However, the hacker installed a backdoor at mine, where he kept uploading the phishing websites. I found his name and lastname, his IP and where he lives.
